IETF Logo Mail Archive

[TLS] Re: Disallowing reuse of ephemeral keys

Richard Barnes <rlb@ipv.sx> Thu, 12 December 2024 18:00 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5A8BC18DBAD for <tls@ietfa.amsl.com>; Thu, 12 Dec 2024 10:00:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBr_mG5-GhTb for <tls@ietfa.amsl.com>; Thu, 12 Dec 2024 10:00:08 -0800 (PST)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33246C180B47 for <tls@ietf.org>; Thu, 12 Dec 2024 10:00:08 -0800 (PST)
Received: by mail-io1-xd33.google.com with SMTP id ca18e2360f4ac-844e1020253so24900139f.3 for <tls@ietf.org>; Thu, 12 Dec 2024 10:00:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1734026407; x=1734631207; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+nmUg0hr9a4IJqjtvtkLqxWfLAcYbPEidP7dGRUAGBQ=; b=DGCpUDMwBLJKTRIwlO51/wpubXzT8ghM0iux4JtZWMe7KZRKRbP2Aheki+ureL9lIZ qqGAsOP+lZx14cYNyAMAsF0gfNRFsJ8ac0xMkHnPn/BmNh4eHSCsVKM9QixdoDsiJgS/ YbLMOReXIRh1uButlXkJn2x9oYcxSEbiKqTUO88KL8KalU30Us+tW+3m+WtFyBy1azqQ POMhRBQf+A0HDI8FEvmP4RI1BaYVonFmE5fdn2YgIB9DTzdQUzN9lByBJ/x+LK52jEgO Sy8nIjBIDFxVQH4XlnsY8FRw1K6idR0H5edBo0lPju+t8pw0oMdNWdhL26OxUggyeLAm 21cw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734026407; x=1734631207; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+nmUg0hr9a4IJqjtvtkLqxWfLAcYbPEidP7dGRUAGBQ=; b=cY2ddrpb1SStGvBkaeapJ3VfaYMQgb4L/gkuZ52CqKLJ/UHISPKlf8R1cAIXeP3jkQ hW9fWAfZZWP/Hz8CeOB3cguysjPJMNiax2uOIjrvCMVfboHQC6ZGQzhzQmEl1kqu+ibG Kx+i9vMHa2nXvaNnYcRsYyHSV/qmOJZd7sfWLfnnfB8VJ4FRzGw9F+o3wUuPCNEJLvHR xMeDJILM1FJhqoaNWGonKDKFCq+kyzyqxMARbAkQIghPumHg1fke+G4zc6Yiz05YQJnI dHQRHMSGF7HjtrECXk9p29snK3rcsthxbceVZBFRsKY2PmF6WsyZt2VtVGQv/RGQMo75 X38Q==
X-Gm-Message-State: AOJu0YyETs6N4ru8zvmsKhqnMXg9K2yMFdSXoqXTH4nrgNhBPCX1aX0v 6IQ9vlCIUkhrJrHxQQdZDZQX2ezHr3FXEdhZYDASkP4l6FugLjLkdtUfbfcwKvm0zPhazmL0Z1m ly0zEOEQjWg7/FyifB9vIDwzZtCcrW5jtD5a8QwzNNWGmZPK1Q8c=
X-Gm-Gg: ASbGnctWaHkXJDCA0n6Dh8gp3O2a9LstCzMYTXsF9eCf2H/O5vGfmODy1XmOJs1JveW 7t4t1xXYFPWFUF+go3Uh29iyO6ZCkzjjOD5qPCMg=
X-Google-Smtp-Source: AGHT+IEFwDM9rwgZHse5XMss4uT4YoH7c50O/C47CaWoa6nzgS+creCzWAPlPkAWHT0H4WhIOXuZbjPSuiHPrL5BUWo=
X-Received: by 2002:a05:6e02:1a25:b0:3a7:dee4:c423 with SMTP id e9e14a558f8ab-3ae55ffa29cmr10407525ab.9.1734026407013; Thu, 12 Dec 2024 10:00:07 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoCHnXZzzoAFT8GGmByr=7y1j5wM3ptPc4_JBF3FhtVNmQ@mail.gmail.com> <bf28dd19-0534-4403-8e20-50bcbbc0fcdd@app.fastmail.com>
In-Reply-To: <bf28dd19-0534-4403-8e20-50bcbbc0fcdd@app.fastmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 12 Dec 2024 12:59:55 -0500
Message-ID: <CAL02cgQ9610CzMfcJEPcfpDRemyvAh3-AEH=GZbmV4QdWtQCXA@mail.gmail.com>
To: Filippo Valsorda <filippo@ml.filippo.io>
Content-Type: multipart/alternative; boundary="00000000000005932a0629167c71"
Message-ID-Hash: HA3X32XYFOPW6UAMRVWXDBHF3ODQ6ZG3
X-Message-ID-Hash: HA3X32XYFOPW6UAMRVWXDBHF3ODQ6ZG3
X-MailFrom: rlb@ipv.sx
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Disallowing reuse of ephemeral keys
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Pes-Hv2jzl9vKlGl-HQz5hSzP8M>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

My preference order would be 3 > 1 >> 2.

3 seems like it encodes the expectation of most people for what the
protocol means.  If you're using a cipher suite labeled something like
"ECDHE", it's reasonable to expect that it's actually ephemeral, i.e., that
there's not key material hanging around afterward that could compromise the
session.  Allowing key reuse (even tacitly) allows one side to silently
violate that invariant.  I'm not worried about backward compat, since (a)
it's wire compatible, and (b) any change here will be a separate RFC, so
people who care about validating can ask specifically "do you comply with
RFC XXXX"?

1 would be the next most plausible fallback, on the general principle that
IETF specifications define externally visible behavior, and this is not.

We should not do 2 because as Filippo says, there's no technical reason for
it.



On Thu, Dec 12, 2024 at 12:54 PM Filippo Valsorda <filippo@ml.filippo.io>
wrote:

> I support some variation of 2 or 3, depending on what encounters the most
> resistance. I agree there is no technical reason to disallow it for e.g.
> X25519MLKEM768 and not X25519, but in practice it might be easier to set a
> new rule for something that's still being rolled out and still a draft.
>
> Both ECDH and KEMs support key share (or public key) reuse *in theory*
> but in practice it makes implementation issues much more likely to be
> practically exploitable, and the hypothetical performance gain of reuse is
> marginal. The spec should defend against that and point implementations
> towards the safer course of action.
>
> As always, there is no protocol police, so implementations that want to
> risk shooting their foot off will be able to do so, but they will be
> off-spec, which is a useful signal.
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.30.2 | Report a Bug | By Email | System Status